Wide open Guest account.
Stolen Laptop.
Open relay mail server.

It's like a Spy Novel.

I guess my premise was you could setup that server yourself and use it as the relay. Which I suppose would be non-trivial and still requires a relay. My understanding of email servers is not great which I suppose has been demonstrated lol.
My wish to maintain a email-based notification would be the non-synchronous state and easy alertness it would provide.

In any case, a disposable email/password relay would be a option..

What would be nice is a method of channelling increased amounts of information rather then just the ip address. Nearby SSIDS, ssh access, even uptime would be useful. As I wrote earlier, having ssh access would be phenomenal since it would give access to a camera if the laptop has one, even recording motion (thief using the laptop) and sending it somewhere.

Here's a possibility:
setup sudo to permit guest user to run this single command: /usr/sbin/sshd -p 9998 (gets around difficulty with forwarding privileged ports)
locally forward 9998 to 9998 on server X with ssh ensuring the key used is for a account with shell set to /bin/false and only permitted to forward ports.

Nice idea but the issue would be that most internet connections nowadays are behind some form of NAT with a stateful firewall built in -- meaning that to get to internal IP addresses a port needs to be opened in the firewall.
Yes, I've been thinking a fair bit about this myself.

I had it backwards, it's a reverse port forward. Essentially, make a outbound connection to VPS and forward all remote traffic on port 9987 to local port 22.
This actually circumvents firewalls as long as the computer is permitted by the network to make a outbound connection. It would be very difficult to view a webpage if outbound connections were denied.

Edit:
All traffic over those ports is forwarded through the ssh session

Right, OK, so how do you put the hole in the firewall to let it in?
I know NATs aren't all that good at stopping attacks but I can't recall an attack to open a port then forward to an IP beyond that.

There's no hole put in the firewall, it's still doing its job. If I understand it correctly, upon doing the ssh remote bind, ssh binds port n on server to client port x. Then if traffic is sent over those ports, it is sent over the already existing ssh connection. I guess the way to test would be to have a VPS. Then bind a publicly accessible port to your client port that is guarded by the firewall. Then try to connect to the VPS accessible port. You should suddenly have access. I haven't tested it much but it's supposed to be a very effective way of getting around firewalls.
It's also supposed to be a reason why ssh is often blocked on corporate firewalls..

A demo might explain better:
I run this ssh -R 9998:127.0.0.1:9997 hostname
Then I did nc -l 9997 on client
Then I did echo foo | nc 127.0.0.1 9998 on VPS

Success! My firewall on client does not allow connections to 9997 but traffic went through!


It's not really a attack though. You've been granted access through ssh and have been authenticated. programs are permitted to bind ports when run, it's really just a extension of ssh functionality, rather then any real "crack". Nothing to fix since there was never really a exploit.

_______


In relating to the script, whent he guest user logs in, it will attempt to make a network connection, then attempt to do the above ssh connection (key based so no password) on a limited account that binds some port on the VPS to port 9998 (which has a sshd server running on that port) on the stolen computer. Then in the same manner, no matter what firewall, OP can then login to their computer.

1 members found this post helpful.

Ah, yes, clever.

I'll have to come back to this when I have more time; most of this tech talk is beyond my current knowledge. Thanks for all the info though guys!

Also, LOL at the spy movie joke. =P